If you want senior executives to buy into cybersecurity, you need to prove the value cybersecurity brings to the core business. Reading your organisation’s annual reports, corporate governance documents and shareholder statements will give you a better sense for what drives your organisation and, in turn, what your executives are thinking about.

You’ll likely find that cybersecurity shows up in these documents but not around specific attacks, zero-days, and APTs. Instead, you may see verbiage about material harm, risk statements around maintaining effective cybersecurity controls, protecting confidentiality and privacy, and the need to safeguard sensitive data.

New ISACA and CMMI Institute research on cybersecurity culture is full of attention-grabbing perspectives and stats regarding the value of a strong cybersecurity culture, such as reduced cyber incidents, stronger customer trust and better brand reputation. This study made me think about how a cybersecurity culture is created and what a cybersecurity team needs within its organisation to earn the support and resources required for a cybersecurity culture.

In the study, 27 per cent of 4,800 IT professionals from around the globe reported that “a lack of senior executive buy-in or understanding” is one of the primary factors inhibiting a strong culture of cybersecurity.

Gaining that buy-in requires proving that the cybersecurity investments being made are addressing these overarching concerns in a measurable, quantitative, and evidence-based way. By clearly illustrating what’s working, what’s not, and what needs to be done to fix it with evidence, you’re showing leadership that you not only understand the business risks, but you know how to measure and communicate those risks effectively, so business decision-makers can act upon them. If you want their buy-in, give them the proof they need to understand and act.

29% INDICATED “a lack of funding” is one of the primary factors inhibiting a strong culture of cybersecurity.

At some point, you may actually need money to effect change. Third party auditors and the board’s audit committee work closely with the finance team. Every dollar being spent on cybersecurity is a dollar not being spent on the core business. So, one of the jobs of audit, finance, and the cybersecurity team is to make sure that the dollars being spent on cybersecurity are adequate and effective in providing value.

As mentioned earlier, these groups are looking for proof that the cybersecurity tools in place are adding enough value to mitigate an acceptable level of cyber risk. To do this, clearly outline where the gaps are, and then you can make a business case for greater investment to close those gaps. Now a business decision can be made, considering all your evidence, along with all the other non-cybersecurity business requirement evidence from business units such as sales, finance, and operations, to determine the best use of funds.

43% SAID that “executive champions who speak up for security” are a primary factor in empowering a culture of cybersecurity.

This championing enabler for cybersecurity should be a byproduct of providing the needed proof in the first two sections. As a business leader, if I believe in what you are doing because of the supplied evidence, and I’m willing to invest dollars because your measures are empiric, understandable, and compelling, then I’m far more likely to champion your cybersecurity cause throughout the organisation.

Executives want an appropriate level of protection. Too far beyond appropriate and that’s waste, and executives that waste aren’t executives for long. By arming executives with proof to champion your cybersecurity cause, you can gain an ally to work with the audit committees and risk committees. Focus on articulating the value of cybersecurity and the necessity for changes you’ve proven are required to ensure protection for the organisation’s sensitive assets and data.

 The two inhibitors and enabler I explored have something in common: they are directly impacted by decision-makers outside of the cybersecurity team. These decision-makers might include auditors, CFOs, CEOs, boards, and other business leaders. Business leaders evaluate risk for a living—cyber risk is just one flavor of risk. When they are making decisions around cybersecurity such as where to invest, how much to invest, and how to prioritise, business leaders want to be armed with evidence just like they do for other types of risk. They don’t want to base these decisions on a best guess regarding cybersecurity effectiveness. Business leaders need evidence-based metrics and quantifiable data. They want quantitative proof before they engage their time and organisational resources, regardless of how strong the qualitative argument might be.

By proving cybersecurity effectiveness, cybersecurity becomes strategic to the business and will in turn benefit the core business in areas like reducing cyber incidents, building stronger customer trust, and safeguarding brand reputation.

Brian Contos
Brian Contos is a seasoned executive, board advisor, entrepreneur, and author with over two decades of experience in the security industry. He is also currently the CISO & VP Product Innovation at Verodin.